Microsoft deprecates Home windows NTLM authentication protocol

Microsoft has formally deprecated NTLM authentication on Home windows and Home windows servers, stating that builders ought to transition to Kerberos or Negotiation authentication to stop issues sooner or later.

New Expertise LAN Supervisor, higher often known as NTLM, is an authentication protocol first launched in 1993 as a part of Home windows NT 3.1 and because the successor to the LAN Supervisor (LM) protocol.

Microsoft says the NTLM protocols, that are nonetheless extensively used right now, are not below lively improvement as of June and might be phased out in favor of safer alternate options.

This transfer is not shocking, as Microsoft first introduced its intention to kill off the getting old authentication protocol in October 2023, urging admins to maneuver to Kerberos and different modern authentication methods, like Negotiate.

NTLM has been extensively abused in cyberattacks often known as ‘NTLM Relay‘ assaults, the place Home windows area controllers are taken over by forcing them to authenticate in opposition to malicious servers.

Regardless of Microsoft introducing new measures to defend in opposition to these assaults, like SMB safety signing, assaults on NTLM authentication proceed.

For instance, password hashes can nonetheless be snatched and utilized in “pass-the-hash” assaults, obtained in phishing assaults, or extracted instantly from stolen Energetic Listing databases or a server’s reminiscence. The attackers can then crack the hashes to get a consumer’s plaintext password.

Aside from the weaker encryption utilized in NTLM, in comparison with extra fashionable protocols like Kerberos, the protocol’s efficiency is subpar, requiring extra community spherical journeys, and doesn’t assist single sign-on (SSO) applied sciences.

All that mentioned, NTLM is taken into account severely outdated by 2024 safety and authentication requirements, so Microsoft is deprecating it.

NTLM phase-out course of

NTLM will nonetheless work within the subsequent launch of Home windows Server and the subsequent annual launch of Home windows. Nonetheless, customers and utility builders ought to transition to ‘Negotiate,’ which makes an attempt to authenticate with Kerberos first and falls again to NTLM solely when mandatory.

Microsoft recommends that system directors make the most of auditing instruments to grasp how NTLM is getting used inside their atmosphere and establish all cases that should be thought-about in formulating a transition plan.

For many functions, changing NTLM with Negotiate might be achieved by a one-line change within the ‘AcquireCredentialsHandle’ request to the Safety Assist Supplier Interface (SSPI). Nonetheless, there are exceptions the place extra intensive modifications may be required.

Negotiate has a built-in fallback to NTLM to mitigate compatibility points through the transition interval.

Directors caught with authentication issues can take a look at Microsoft’s Kerberos troubleshooting information.

Recent articles